Additional Documentation for VMSA-2020-0006: Determining if a vCenter 6.7 deployment w/embedded or external Platform Services Controller (PSC) is affected by CVE-2020-3952
Article ID: 318802
Updated On:
Products
VMware vCenter Server
Issue/Introduction
On April 9th, 2020 VMSA-2020-0006 was published. This advisory documents a critical severity sensitive information disclosure vulnerability identified by CVE-2020-3952. As stated in the advisory, vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.
Environment
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.7.x
Resolution
Upgraded deployments will create a log entry when the vmdir service starts stating that legacy ACL mode is enabled.
Example:
2020-04-06T17:50:41.859003+00:00 info vmdird t@139910871058176: Domain Functional Level (1)
2020-04-06T17:50:41.859668+00:00 info vmdird t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
2020-04-06T17:50:41.864522+00:00 info vmdird t@139910871058176: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.
This vulnerability can be resolved by upgrading an affected deployment to 6.7u3f or 7.0.
Notes:
The Update History section of this article will be revised if there is a significant change. Click Subscribe to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.
- Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
- Windows Log File Location: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log
Example:
2020-04-06T17:50:41.859003+00:00 info vmdird t@139910871058176: Domain Functional Level (1)
2020-04-06T17:50:41.859668+00:00 info vmdird t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
2020-04-06T17:50:41.864522+00:00 info vmdird t@139910871058176: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.
This vulnerability can be resolved by upgrading an affected deployment to 6.7u3f or 7.0.
Notes:
- In order to be affected by CVE-2020-3952, a deployment must meet 2 criteria. First, it must be a 6.7 deployment prior to 6.7u3f. Second, it must be running in legacy ACL mode.
- Because the ACL MODE: Legacy log entry is only thrown at vmdir startup, it is possible that it will be absent due to log file rollover even on affected deployments. If needed, you may use the commands "service-control --stop vmdird" and "service-control --start vmdird" to restart VMDIR service to check the logs during startup. Refer to How to Stop, Start or Restart vCenter Server 6.x Services for more information on restating vCenter Server services.
- In case of External PSC deployments, you need to check the logs on PSC as VMDIR service is running on Platform Services Controller
- The ACL MODE: Legacy log entry will still be thrown after upgrading to 6.7u3f and/or 7.0 even though CVE-2020-3952 is resolved in these releases.
The Update History section of this article will be revised if there is a significant change. Click Subscribe to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.
Feedback
Yes
No
Powered by
